
Below is pretty much it. Beyond this portion is text and graphics unrelated to the script. I have seen other posts and sites that suggest the password is right out in the open. Running the script brings up the prompt but that's it.

I have removed any reference to what the site is in case the password is indeed that easy to get.

<body bgcolor="#ffffff">
<p><img src=Graphics/fflscript2.jpg alt="" height="129" width="612" border="0"></p>
<p><b><font size="+3">Reference Document Center</font></b></p>
<p><br>
If you have not been given your xxxxxx Password to access these documents</p>
<p>Please call our customer service line to get yours. 1-800-xxxxxxxxx</p>
<p><br>
</p>
<p><a onclick="CSAction(new Array(/*CMP*/'2A2D2654'));return CSClickReturn()" href="#" csclick="2A2D2654">Documents </a><font size="-1">(for those with an old password use only the first 7 characters)</font></p>

Firstly... font tags? Eww. Secondly, you seem to have the same problem as before: you should not be using JavaScript to authenticate a username and password. All verification of users should be done server-side, as client-side scripts are far too easy to manipulate and bypass.

How do you mean? I certainly don't know any sites that use font tags anymore, and certainly no one uses client-side scripting for logins. Just take the forums you have been on: I would wager all of them used some kind of server-side authentication to log in to make posts in the first place.

Fonts....whatever. I was more interested in someone 'showing' me that using that form of script is vulnerable. It seems just like the other forums it's apparently not the thing to do, but no one is actually able to demonstrate why. Just talk about it.

Oh and by the way, don't drink aspartame.. 'they say' it's bad for you.
Just take my word for it.

JavaScript is plain text; it can be seen by right-clicking and viewing source. All someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it. It doesn't require demonstration; you can do it yourself from within any web browser.

"JavaScript is plain text; it can be seen by right-clicking and viewing source. All someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it. It doesn't require demonstration; you can do it yourself from within any web browser."

Ok, so in the initial post is the source from that part of the page.
Where does it show the specific location of the file where the login details are held?

Presumably either in CSScriptLib.js (since that is the only JavaScript file mentioned) or in a different JavaScript file that is dynamically loaded by CSScriptLib.js. Either that or there is additional code in the page that you didn't post that either contains the code or a link to the JavaScript file that contains the code.
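
The point made in the replies above, as an added example that is not part of the original thread or the site's own code: a page that checks the password in the browser ships the secret to every visitor, while a server-side check stores only a salted hash and never sends it. The function names, the placeholder password, the `/login` path and the use of Node.js `crypto` are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder secret; not taken from the thread.
const SECRET = 'EXAMPLE-PASSWORD';

// Weak: the comparison runs in the browser, so the secret is part of the page.
// The destination URL is also visible and is not protected by anything.
function weakPage() {
  return `<script>
function openDocs() {
  if (prompt('Password') === '${SECRET}') location.href = 'documents.html';
}
</script>`;
}

// Corrected: the server keeps only a random salt and a slow scrypt hash.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Runs on the server only; both buffers are 32 bytes, compared in constant time.
function verify(record, attempt) {
  const candidate = crypto.scryptSync(String(attempt), record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// The page sent to the browser just posts the attempt to the server.
function hardenedPage() {
  return '<form method="post" action="/login">' +
         '<input type="password" name="pw"><button>Documents</button></form>';
}

// Hypothetical handler: protected content is returned only after verify() passes.
function handleLogin(record, attempt) {
  return verify(record, attempt)
    ? { status: 200, body: 'document list' }
    : { status: 401, body: 'access denied' };
}

// Audit helper: does anything sent to the client contain the secret?
function leaksSecret(body, secret) {
  return body.includes(secret);
}
```

Running `leaksSecret` over each response body is the same check a reviewer does by hand with "view source": the weak page fails it, the hardened form and both handler responses pass.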